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ABSTRACT 

Secure distance bounding (DB) protocols allow one entity, 
the verifier, to securely obtain an upper-bound on the dis- 
tance to another entity, the prover. Thus far, DB was con- 
sidered mostly in the context of a single prover and a single 
verifier. There has been no substantial prior work on se- 
cure DB in group settings, where a set of provers interact 
with a set of verifiers. The need for group distance bounding 
(GDB) is motivated by many practical scenarios, including: 
group device pairing, location-based access control and se- 
cure distributed localization. GDB is also useful in mission- 
critical networks and automotive computer systems. This 
paper addresses, for the first time, GDB protocols by uti- 
lizing the new passive DB primitive and the novel mutual 
multi-party GDB protocol. We show how they can be used 
to construct secure and efficient GDB protocols for various 
settings. We analyze security and performance of our pro- 
tocols and compare them with existing DB techniques when 
applied to group settings. 

1. INTRODUCTION 

Wireless networks - especially, sensor and mobile ad-hoc 
networks, have become increasingly popular. Enabled by 
pervasive availability of location information, new wireless 
scenarios have emerged where accurate proximity informa- 
tion is essential to both applications and basic networking 
functions. Such scenarios require secure, reliable and effi- 
cient verification of distances between nodes, in addition to 
node authentication. Distance Bounding (DB) can address 
such scenarios by allowing one entity (verifier) to obtain 
an upper-bound on the distance to another entity (prover) 
and, optionally, authenticate the latter. DB was introduced 
by Brands and Chaum Q as a means of preventing the so- 
called "mafia fraud" attacks on bank ATlVlfl In Brands and 
Chaum's DB approach, a user's smart-card (verifier) checks 
its proximity to the ATM (prover). DB has been recently 
implemented |fl9l using commercial off-the-shelf electron- 
ics (resulting in 15cm accuracy). It was also suggested and 
implemented as a means of securely determining node loca- 



1 A "mafia fraud" attack occurs when the attacker identifies itself to 
the verifier using the identity of a prover, without the latter being 
aware (i.e., man-in-the-middle attack). 



tions in wireless networks 

In most prior work, DB was considered in the context of a 
single prover and a single verifier. Group Distance Bounding 
(GDB) is the natural extension of the DB concept to group 
settings with multiple provers and verifiers. Multiple veri- 
fiers provide several advantages including: higher attack re- 
silience and improved availability (by avoiding a single point 
of compromise or failure), in addition to facilitating localiza- 
tion using multilateration. The common goal in applications 
that require GDB is: several devices must securely measure 
distances between themselves or should only operate in the 
vicinity of each other. 

GDB is motivated by the following emerging wireless ap- 
plications: group device pairing - a procedure for setting up 
an initial secure channel among a group of previously unfa- 
miliar wireless devices. There are several scenarios where 
this is required, e.g., when an ephemeral ad-hoc group of 
users meet. Each user has a personal wireless device that 
must establish a secure channel with devices of other users. 
One concrete example using cell-phones is described in ifTTIl . 
Another scenario is that of a single user with multiple de- 
vices, e.g, in a home area network J5J. A secure mechanism 
is required to ensure that the group of communicating de- 
vices is clustered within a particular area, i.e., each device is 
within a certain distance from every other device. The mu- 
tual multi-party GDB protocol (Section [3~3l ) achieves this. 

Another application that can benefit from GDB is auto- 
motive computer systems. Recent research |10| pointed out 
vulnerability of such systems to attacks through wireless in- 
terfaces (demonstrated in |3j using relay attacks). As more 
components of such systems communicate wirelessly, it be- 
comes critical to ensure that the origin of communication 
is from within the car to prevent relay attacks. Ensuring 
that such components only communicate with each other 
prevents attacks through unauthorized or outside malicious 
components. The mutual multi-party GDB protocol (Section 
13 - 31 > achieves this. 

GDB is also useful in critical, e.g., military, MANETs 
where a key operational requirement is to track locations of, 
and authenticate, friendly nodes J2). Critical MANETs gen- 
erally operate without any infrastructure and in hostile en- 
vironments where node compromise is quite realistic. GDB 
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can be used to implement location based-access control and 
location-based group key management in critical MANETs. 
Both mutual multi-party GDB (Section [33l ) and passive DB 
(Section lXTl ) can be used in such settings. 

In this paper, we show that a straightforward extension 
of previous single prover single verifier DB to GDB is in- 
efficient and insecure if used for localization without syn- 
chronization between verifiers (which was also pointed out 
in El). We explore and propose more efficient and secure 
GDB approaches. We make the following contributions: 

- Definition of Group Distance Bounding ( GDB) 

- New primitives: Passive DB and Mutual Multi-Party GDB 

- A set of secure and efficient GDB protocols 

- Security and performance analysis of proposed protocols 

The rest of the paper is organized as follows: we overview 
traditional DB protocols, formulate the GDB problem and 
state our system and adversary models in Section [2] We 
present details and security analysis of our GDB building 
block primitives in Section [3] We then show how to use 
these building blocks to construct GDB protocols in both 
one-way and mutual GDB settings in Section |4] We ana- 
lyze performance and security of GDB protocols in Section 
[5] We discuss related work in Section [6] and conclude with 
open issues and future work in Section|7] 

2. BACKGROUND AND PROBLEM STATE- 
MENT 

We begin with an overview of DB protocols, followed by 
the problem statement and system model. 

2.1 Overview of Distance Bounding (DB) 

Figure Q] shows the generic DB protocol operation. The 
core of any one-way DB protocol is the distance measure- 
ment phase, whereby the verifier measures round-trip time 
between sending its challenge and receiving the reply from 
the prover. Verifier's challenges are unpredictable to the 
prover and replies are computed as a function of these chal- 
lenges. Thus, the prover cannot reply to the verifier before 
receiving its challenges. The prover, therefore, cannot pre- 
tend to be closer to the verifier than it really is (only further). 
First, the verifier and the prover each generate n 6-bit nonces 
Ci and 7"i (1 < i < rt), respectively. In the Brands-Chaum 
DB protocol JH, the prover also commits to its nonces (us- 
ing any secure commitment scheme). The verifier sends all 
Ci to the prover, one at a time. Once each Ci is received, the 
prover computes, and responds with a function of its own 
nonce and that of the verifier, /(c;, r^). The verifier checks 
the reply and measures the elapsed time between each chal- 
lenge and response. The process is repeated n times and the 
protocol completes successfully only if all n rounds succeed 
and all responses correspond to prover's committed value. 
The processing time on the prover's side a = tf — must 
be negligible (compared to the time of flight); otherwise, a 
computationally powerful prover could claim a false bound. 
This time might be tolerably small, depending on the un- 
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Figure 1: Basic DB Operation. 



derlying technology, the distance measured and the required 
security guarantees (less than Insec processing time yields 
0.15m accuracy Ifl9l ). 

Security of DB protocols relies on two assumptions: (1) 
challenges are random, and unpredictable to the prover be- 
fore being sent by the verifier, and (2) challenges traverse 
the distance between the prover and the verifier at maximum 
possible speed, i.e., the speed of electromagnetic waves. Af- 
ter executing a DB protocol, the verifier knows that distance 
t v -t v 

to the prover is at most — — f 



f — - • c, where a is the process- 
ing time of prover (ideally, negligible) and c the speed of 
light DB protocols typically require (2n + C) messages, 
where C is the number of messages exchanged in the pre- 
and post-processing protocol phases. Typically, C << n 
and thus can be ignored. 

In some cases (e.g., distributed localization), there is a 
need for mutual DB between two parties: Pi and P^. This 
can be achieved by modifying the one-way DB protocol such 
that each response from P2 to a challenge by Pi also in- 
cludes a challenge from P2 to Pi . This requires 2n + 2C + 1 
messages instead of 2(2n + C) for mutual DB and is shown 
in ||25l . Both parties generate and commit to two random bit 
strings [ci, C2, c n ] and [si, S2, s n }. Pi starts by send- 
ing the first challenge bit ci and P2 replies with ci © s\. Pi 
measures the time between sending ci and receiving the re- 
sponse. Pi then replies with C2 © si. P2 measures the time 
between sending ci © si and receiving the response. This 
process is repeated n times. The mutual DB procedure is 
considered successful if both parties verify all responses and 
match previously committed values (see 11251 for more de- 
tails). We take advantage of this optimization in constructing 
mutual GDB protocols. 

If prover authentication is required, public key signatures 
can be used to sign challenges and responses. The verifier 
validates the signature in the last step, as shown in Figure Q] 
The protocol succeeds only if the signature is valid. Public 
key identification schemes (e.g., Schnorr or Fiat-Shamir) can 
also be used as described in Q. 
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Figure 2: Group Distance Bounding Variants. 
2.2 Problem Statement and System Model 

We first present the general GDB problem statement and 
its variants, then describe our system and adversary models. 
Problem Statement: In general, GDB involves one or more 
provers interacting with one or more verifiers. The goal 
of verifiers is to accurately and securely establish distance 
bounds (DBs) to provers and, optionally, authenticate them. 
Provers are generally untrusted, i.e., they may behave ma- 
liciously by reporting false distances and identities. Each 
device can be a prover, a verifier or both, i.e., we take into 
account both one-way and mutual DB. We consider three 
GDB cases (see also Figure |2): 

1- MPNV: N verifiers establish DBs to M provers. 

2- 1PNV: N verifiers establish DBs to a single prover. 

3- MP IV: A single verifier establishes DBs to M provers. 
In mutual GDB, the two special cases (IPNV and MPIV) 
are equivalent and are called (l-to-M). In addition, there is 
a case where N peer nodes are required to establish mutual 
DB with each other; we call it mutual multi-party GDB. 
System Model: We make the following assumptions: 

- Coverage: All devices are within each others' transmission 
range. This is a common assumption in all DB literature, 
e.g., i][Il|23]|2l][II]|24). 

- Accuracy: Each device can implement distance bounding, 
i.e., is capable of fast and accurate processing - on the order 
of nanosecond^. 

- Keys: Each device has a public/private key pair and a cer- 
tificate binding the public key to its identity. (Applies only 
if authentication is required). 

- Collusion: Colluding provers do not reveal their secret keys 
to each other. (Applies only if authentication is required). 

- Interaction between Verifiers: In one-way GDB, verifiers 
know each others' locations or distances separating them. 
This is not required in mutual GDB. 

Adversary Model: We assume that the adversary is compu- 
tationally bounded and can not prevent nodes within its radio 
range from receiving its transmissions (i.e., not using direc- 
tional antennas). In one-way GDB, the adversary can only 
compromise provers. Verifiers trust each other in one-way 
GDB. In mutual GDB, all nodes are treated equally with no 
trust assumptions. Our adversary model covers the follow- 
ing attacks in one-way GDB settings (based on attacks in 
one-way DB g)): 

1- Distance Fraud Attack: A dishonest prover claims 

2 Possible using off-the-shelf electronics as in 1191 or using UWB 
ranging platforms e.g.fTl [T4l . 
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Table 1: Notation. 



to be closer than it really is. (Note that a prover can al- 
ways claim to be further by delaying responses.) The goal of 
this attack in one-way GDB is to shorten the distance from 
the malicious prover to one or more (or even all) verifiers. 

2- Mafia Fraud Attack: A form of a man-in-the-middle 
(MiTM) attack. The adversary, who is close to the verifier, 
interacts with it, while posing as the prover. In parallel, it 
interacts with the prover posing as the verifier. The goal is to 
fool the verifier into believing that the adversary is the prover 
located closer to the verifier than the actual prover. In one- 
way GDB, we consider a version of this attack where the 
adversary places one or more nodes between the prover(s) 
and one or more verifiers. The adversary aims to convince 
verifiers that these intermediate nodes are real provers which 
are located closer to them than actual provers. 
We consider the following attacks in mutual GDB settings: 

1- Passive Distance Fraud Attack: In mutual GDB with 
one group of N nodes, each node has to establish N — 1 
DBs. We assume that the adversary can compromise at most 
N — 2 nodes. The goal of this attack is for two (or more) un- 
compromised nodes to establish incorrect DBs to each other. 

2- Node Insertion Attack: The adversary inserts one or 
more fake nodes into the group. It succeeds if other "hon- 
est" nodes in the group accept such fake nodes as legitimate 
group members and establish DBs to them. Such DB should 
also be shorter than the real distance to these fake nodes. 



3. GDB BUILDING BLOCKS 

We first introduce a new building block primitive for con- 
structing secure and efficient GDB protocols, one-way pas- 
sive DB. We then consider an optimization to decrease num- 
ber of messages in GDB protocols, interleaved one-to-many 
mutual DB. By combining the two we construct the novel 
mutual multi-party GDB protocol. In mutual multi-party 
GDB each node, in a group of TV nodes, engages in a se- 
cure mutual DB protocol with its (N — 1) peers. Notation 
used in this paper is reflected in TableQ] 

3.1 One- Way Passive DB 

Whenever a prover and a verifier engage in a DB protocol, 
some information about their locations and mutual distance 
is leaked 11811 . We use this observation in the presence of 
multiple verifiers. We show that it is unnecessary for every 
verifier to directly interact with the prover (P) to establish 
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Figure 3: Messages Observed by Passive Verifier. 

a DB. If at least one active verifier (V a ) interacts with P, 
any other passive verifier (V p ) can deduce the DB between 
itself and P by observing messages between P and V a - We 
assume that V p and V a trust each other, know the distance 
separating them (or each other's locations) and are both re- 
quired to establish a DB to P. We address passive DB with 
untrusted verifiers in Section [53l 

Figure|3]shows how V p observes timings (Tj) of messages 
exchanged in a DB protocol between P and V a . V p can con- 
struct the following equations: 



Ti = 
T 2 = 
T 3 = 



to + t 



Va,Vp 



to + W a ,p + a p + tp,v P 

to + 2 • ty a ,p + ap + ay a + ty 



(1) 

(2) 
(3) 



where ap and ay a are processing times of P and V a , re- 
spectively (ideally apis equal to zero) and to is the protocol 
starting time. V p can determine time of flight for signals be- 
tween P and V a thus computing the distance between them: 

(T 3 - Ti) - a P - a Vc 



l v a ,p 



c ■ ty a p = c ■ 



(4) 



Where c denotes speed of light. For V a (and V p ) to measure 
the distance between itself and P, ap must be negligible (or 
constant) and knowt{| 

Overview of establishing a passive DB: V p uses time dif- 
ference of arrival (TDoA) of three messages, its own loca- 
tion and V a 's location to construct the locus of P's possi- 
ble locations (a hyperbola similar to other TDoA techniques 
lfl2l ). V p then determines the distance between V a and P (as 
shown in Equation |4]i and constructs a circle with a radius 
equal to that distance. This circle intersects with P's loca- 
tion locus at two points (sx and s 2 ). V p computes DB to P 
as the distance between itself and si (or safl 

Details of establishing a passive DB: We now demon- 
strate the details of the procedure. We also show that if P 
manages to cheat and shorten the passive DB established by 
V p , then the active DB established by V a must also be short- 
ened. Since the DB established by V a can not be shortened, 



Common assumption in DB literature, e.g., |41 IT41|231I21II18I|24I . 

4 If V p does not know V a 's exact location but only the distance to 
V a , then, instead of a sector of a circle, V p obtains an area between 
two circles with radii corresponding to furthest and closest points 
to V p on the hyperbola. In that case the larger radius will be used 
as a DB to P. 



a passive DB is as secure as the active DB established be- 
tween V a and P. Suppose V a is located at (x a ,y a ) and V p is 
at (x p , y p ). V p knows its own location and that of V a (hence 
the distance dy a .y ). Without loss of generality we assume 
(x a ,y a ) = (0, 0) to be the origin of a coordinate system. It 
follows that: 



dv a y p = \J {x p ~ x a ) 2 + {y p - y a ) 2 = ^ {x p ) 2 + (y p ) 2 

(5) 

We further assume that P is at (x, y). V p also knows that: 



d v p: p = \J{x- x p ) 2 + (y- y p ) 2 = yj {x) 2 + (d Va 



v„ - V? 
(6) 



y/[x - x a ) 2 + {y- y a ) 2 = ^/(x) 2 + (y) 2 (7) 



If three messages as in Figure [3] are received at times: 
T\,T% and T3, respectively, V p computes dy a .p as shown 
in Equations|4] V p also computes: 



c- (T 2 —Ti) = c-Si = dy at p + c-atp + dp t y -d 



v a ,v„ 



(8) 



Where c is speed of light. However, since dy a .p (Equations 
2| and dy a .v (verifiers know distances between them) are 
known, V p obtains: 



r = c • (Si — a P ) + d Va y p = d 



V a ,P 



l v„,p = 



V(x) 2 + (y) 2 + ^/(x) 2 + (d Va ,v p -yy 



(9) 



Which yields the following formula for the locus of P's 
possible location (which lies on a hyperbola due to TDoA 
EH): 



V 



dv a ,v P ^(d 2 VaiVp -T 2 )±T-^(4x 2 + 



4.,K- r2 ) 



(10) 

Note that DBy a ,p = dy a ,p is an upper bound on the dis- 
tance between P and V a . Using dy a ,p, V p can construct an- 
other equation for the locus of P's possible location (a circle 
around V a with radius dy a p): 



(x - x a ) 2 + (y - y a ) 2 = (d Va , P ) 2 



(11) 



V p can now establish a passive DB using the intersection 
of both loci (i.e., solving both equations [TTI and ITQb. This 
DB is the distance between V p 's own location (x p , y p ) and 
the intersection of P's loci described by equations QT| and 
[TOl This DB (DBy .p = dy ,p) will only be in a sector of a 
circle, not in the entire circle as in the case of an active DB. 

Substituting x = x a + (dv a ,p) 2 — (y — y a ) 2 (from equa- 
tion ITn> into equation [TUl the y-coordinate of P's location 
becomes: y oc (dv a .p) (same for P's x-coordinate). For V p 
to compute a wrong (shorter) DB to P, it has to have com- 
puted a shorter dy a .p- A shorter dy a .p requires DBy a ,p to 
have been computed shorter than the actual distance between 
P and V a (which is not possible as shown in Section [2~T1 i. 

To better illustrate this, Figures |4(a)| and |4(b)| show an 
example scenario. P (labeled Actual Prover in Figures) at 
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Figure 4: Establishing a Correct and Incorrect Passive DB. 



(—7, —7) is on one of several possible hyperbolas. The DB 
from V a at (0, 0) to P is shown as a circle around V a (labeled 
as Active Verifier in Figures). If P somehow cheats so that 
the passive DB is shorter, then this would require that the 
circle drawn around V p at (0, 10) intersects the hyperbola at 
a point ((—3, —1.5) in Figure |4(b)] i close to V p . This point 
will be inside the circle established by V a . If this is the case 
then the DB computed by V a has to be shorter than the actual 
distance to P which is not possible. If V p actively engages in 
a DB protocol with V a , it would get the circle shown around 
it in Figure |4(a)| However, in this passive case, it gets a sec- 
tor of that circle, which is the arc connecting the two points 
((—7, —7) and (7, —7)) where the computed hyperbola inter- 
sects the circle around the active verifier. We have shown in 
Section lXTl how active DB prevents the distance fraud attack. 
Since passive DB is as secure as active DB, it will prevent 
the distance fraud attack. Adding authentication to passive 
DB prevents the mafia-fraud attack because an attacker will 
not be able to authenticate itself to a passive verifier unless it 
also does to an active one. A passive verifier can utilize the 
same authentication mechanism as an active verifier. Active 
verifiers can use public key signatures (or public key iden- 
tification schemes) to authenticate provers, as described in 
Section 12.11 All necessary information (commitment, chal- 
lenges, responses and signatures) required to authenticate 
provers also reach passive verifiers. The only disadvantage 
is that a passive verifier does not send its own challenges. 
Passive DB remains secure because it assumes trusted active 
verifiers. If that is not the case, mutual one-to-many DB or 
mutual multi-party GDB can be used. 

3.2 Interleaved One-to-Many Mutual DB 

When one node engages in mutual DB with M other nodes, 
one-to-many mutual DB, the number of required messages 
can be reduced by interleaving challenges and responses to 
different nodes. We label the "one" node in this case the ini- 
tiator (Pi) and the other "many" nodes (M) the "participants" 
(Pj, j £ {1, ...,M}), Pj performs mutual DB with each Pj\ 



however, the last message of the interaction with one Pj is 
used as the first challenge of the interaction with Pj+i. This 
process can be generalized for M parties, one initiator and n 
rounds, resulting in a protocol with n ■ (2M + 1) messages. 
This would have required n ■ (AM) or n ■ (3M) messages if 
pairwise single prover single verifier DB or interleaved sin- 
gle prover single verifier DB were used respectively. 

3.3 Mutual Multi-Party GDB 

The obvious approach to establish mutual DBs between 
every pair of nodes, in a group of N nodes, is to perform 
it sequentially between each pair. This requires 2n ■ N ■ 
(N — 1) messages and is insecure. A malicious node, act- 
ing as a prover, can selectively delay messages to another 
specific node acting as a verifier. This yields a larger DB, 
to that node only, and results in false localizations if multi- 
lateration is used as shown in |8j|. One can interleave chal- 
lenges and responses to reduce the number of messages to 
(2n+i)-N-(N-i) ^ se j ect j ve delaying G f responses will still 
be possible. Our protocol, mutual multi-party GDB, relies 
on the broadcast nature of the wireless channel and takes ad- 
vantage of message overhearing and appropriate timing of 
challenges and responses. All nodes simultaneously engage 
in the same protocol. The protocol combines passive DB and 
interleaving of challenges and responses (similar to Section 
13.21 to reduce message complexity from 0(N 2 ) to O(N) 
without sacrificing security. 

We begin with a simple four-node example, shown in Fig- 
ure |5] Each node (k) first generate n random bit strings 
(bi t k), each of length I. Each node broadcasts a commitment 
to these bit strings. These commitments are hashed and used 
by nodes to order themselves in a logical ring. This ordering 
determines the sequence in which nodes send and respond 
to challenges. In Figure [5] nodes order themselves clock- 
wise starting from Pi to P4. Pi starts and sends the first 
of its generated bits strings (61,1) as a challenge to its left 
logical neighbor P2 (message 1). P2 computes and sends 
the reply (rp2,i) to Pi using its own first bit string (61,2) 
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and the challenge bit string (61,1) received from Pi, i.e., 
message 2 is rp2,i = &i,i © &i,2- P3 uses the reply from 
P2 to P\ as a challenge and computes its own reply to P2 
(T3,2 = &i,3 @ rp2,i) and broadcasts it as message 3. P4 
uses this reply {rpz,2) as a challenge from P3 and computes 
its own reply (rp4.3 = 614 © 7773,2) and sends it to Pi as 
message 4. Pi then replies to P4 with message 5 containing 
r PiA = &2,i © T4,3- The process is repeated again counter- 
clock wise but using the second bit string. All challenges 
and responses are broadcast and all nodes receive and record 
them. Nodes only respond to challenges from their imme- 
diate logical neighbors. Once a node computes all required 
DBs, it broadcasts them with a hash of all received chal- 
lenges and responses (and optionally signs them if authen- 
tication is required). This will require four additional mes- 
sages. We note here that each node independently computes 
DBs to other nodes based on linear equations constructed 
from the reception times as illustrated in Linear equations 
can be solved with standard automated methods, e.g., Gauss 
elimination or Gauss-Jordan elimination. Table [2] Nodes 
do not rely on any reported measurements from other nodes, 
hence the same model of distrusting a node acting as a prover 
as in the original DB protocol holds. 

Any mutual DB protocol for four nodes will require four 
commit (and four de-commit) messages which are not shown 
in Figure [5] The main difference is in number of messages 
in the rapid bit exchange phase. In Figure|5]a total of 8 mes- 
sages are required in that phase, in the case of sequential 
pairwise DB 24 will be needed and 18 in case of sequential 
DB with interleaving. The process can be generalized to the 
case of N nodes. The total number of messages for the gen- 
eral case of N nodes and n rounds in the rapid bit exchange 
phase i f§ n ■ (2N). Additionally, 2N messages are required 
for the commitments and decommitments to make sure that 
every node has used the random bits it generated and has 
computed DBs correctly. 

Security: The mutual multi-party GDB protocol is secure 
against distance-fraud and passive distance fraud attacks as 
long as the group contains at least two honest neighboring 
nodes (in the logical ring). A malicious node launching any 
attacks will be detected by these two (or more) honest neigh- 
bors because the active DB between them can not be influ- 
enced by any other node. When immediate neighbors of a 
node exchange messages with their own neighbors, that node 
establishes passive DBs on these two-hop neighbors. These 
DBs are established passively and can not be affected by any 
other node because, as we have shown, passive DB is as se- 



5 This can be derived by analyzing the construction of linear equa- 
tions from observing messages. Any node can construct 2N — 2 
independent equations from time of arrival of 2N consecutive mes- 
sages (as each node sends two messages). These equations have 
2N — 2 unknowns, TV unknowns for time of flight between pairs 
of neighboring nodes and TV — 3 between the observing node and 
every other node (see in Figure^. There's an additional unknown, 
the variable to, corresponding protocol starting time. These equa- 
tions can be solved resulting in a unique solution. 
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Figure 6: Breaking down Mutual Multi-party GDB into 
Passive DBs. 

cure as active DB. This process is repeated until all DBs are 
established. The example in Figure [6] shows how node Pi 
uses interactions between different nodes in the group to es- 
tablish a DB on each of them. Pi establishes DB directly 
with its neighbors P2 and P§, it then uses the messages ex- 
changed between P2 and P3 to establish a passive DB on P3 
and those between P 3 and P 4 to DB P 4 and between P4 and 
P5 to DB P 5 . This process is carried out by each node in- 
dependently during the protocol at different times resulting 
in secure DBs established to other nodes. The description 
of Figure [6] is simplified to convey the intuition. In real- 
ity, when solving linear equations constructed from TDoA 
of messages, several equations resulting from different inter- 
actions will be used in computing each DB to a non neighbor 
(details are shown in Table [2]). For example, in Table [2 Pi 
uses equations of Tj, T3 and Tg to DB P3, as opposed to T3 
only as in the simplified explanation (Figure[6]). 

To demonstrate how attacks can be detected consider how 
each node computes DBs from the arrival times of messages 
as shown in Table [2] Assuming Pi, P2 and P4 are honest 
and P3 is malicious. P3 can launch attacks by delaying its 
messages (number 3 and 7) by 8\ and 82 respectively. This 
attack will be detected because DBp 1 p 2 computed by Pi, 
and that computed by P2 will not be the same. This will be 
detected when nodes broadcast their computed DBs at the 
end of the protocol. Pi will compute DBp x p 2 = T2/2 = 
tp 1 .p 2 (from message 2 in the column for Pi), whereas P2 
will compute DB Pu p 2 = T 5 - tp 2: p 3 - tp 3 . Pi - t PuPi = 
tp lt p 2 — (#i + 4?-) (from messages 5 and 3 and steps (a) and 
(b) in the last row of the column for P2). A similar detection 
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Ti — ^ "I - ^ P^ , P3 


-^"l — i ""I - ^ P\ , P 4 


2 


T2 — 2tp 1 ^p 2 — > DBp 1; p 2 


Sender 


T2 — to -f- ip-,^ ,p 2 + tp 2 ? p 4 + ip 2 ^p 3 


T2 — to + ^P! ,P 2 


3 


^3 = tp-\ , p^ ~t~ tp?,p^ ~\~ ip^,p-[ 


— 2t p,-, | Pjj >■ X) B Pr, _ p 3 


Sender 


^~3 — ^0 ~t~ ^P-| ,Pq ~i~ tp^.P^ ~t~ ^P3,P 4 


4 


T 4 — tp Xj p 2 + tp 2 ,P3 + ^3,^*4 
+ ^4^1 


7*4 — *P 2 ,P3 + *P3,P4 + tP2.P1 
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7 
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= 2tp 3 ,p 4 

(c) T 6 — £p 2 ,p 3 — ^p 3 ,p 4 

— 2tp lt p i = tp 2l p 4 -> DBp 2 ,p 4 

(d) T 5 — *p 2 ,p 3 — *p 3 ,p 4 
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Cal TV. 9+ >-, r-, 9f r-, n 
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— tp 1 ,p 4 — 2tp 1: P 3 

— s- DB Pl p 3 
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Table 2: Message Reception Times and Constructed Equations in the Mutual Multi-Party GDB Protocol for Figure 

IH(£i,j = tj,i> tx, y — > DB x . y means that DB x , y can be directly computed from t x , y , the last row shows additional 
computation required to establish the DBs). 



will occur between Pi and P4 but based on DBp 2 ,p l . Even 
if P3 and P4 are both malicious and colluding, the attack 
will be detected because DBp 1 p 2 computed by P 2 will be 
DBp 1 p 2 = tp 1 p 2 — 4f (assuming P 3 delays its messages 
by 5i and 62 respectively, whereas P 4 delays its message by 
5s and ($4). Variations in computed DBs can be detected if at 
least two honest nodes are neighbors in the constructed ring. 

Node authentication in this protocol can be achieved using 
traditional public key signatures. Each node initially broad- 
casts its public key certificate in the commitment phase. Once 
all (2nN) protocol rounds are completed, each node hashes 
all exchanged challenges and responses and signs the result- 
ing hash. Recall that all nodes receive all challenges and 
responses due to wireless broadcast. All signatures are then 
broadcasted and each node verifies N — 1 signatures. All 
nodes are authentic if all signatures verify successfully. 

4. DB EXTENDED TO GROUP SETTINGS 

We now show how to construct protocols for the two most 
general GDB cases: (1) M provers and N verifiers (MPNV) 
in one-way GDB, and (2) NtoM in mutual GDB. All other 
cases can be obtained by setting the values of N and M as 
desired. For comparison, we consider a basic GDB proto- 
col where nodes sequentially engage in a naive single prover 
single verifier (mutual) DB. In each case we propose an al- 
ternative approach based on passive DB, mutual multi-party 
GDB or one-to-many mutual DB. We assume that n rounds 
of DB are required in all cases. 

4.1 One-Way MPNV GDB 

In this case nodes either act as provers or as verifiers. 
The goal at the end of the protocol is for all N verifiers 
to have DBs to all M provers. In a naive MPNV proto- 
col, each prover interacts sequentially in n rounds of DB 
with each verifier. This is repeated until all provers have 



interacted with all verifiers. The total number of messages 
is: (2n ■ N ■ M). When constructing a protocol for this 
group setting based on passive DB there are two parameters 
to consider: (1) the number of active and passive DB rounds 
performed by each verifier and (2) how the active verifiers 
are selected (i.e., deterministic or probabilistic). The second 
parameter does not affect the challenges and responses and 
how every node performs DB but has an effect on the se- 
curity if verifiers are compromised (discussed in Section|5]l. 
Active verifiers can be selected randomly or by any leader 
election protocol (e.g., lfT6l ). the rest will be passive veri- 
fiers. Other strategies could be explored but are out of scope 
of this paper. The number of active verifiers, active rounds 
and how many perform passive rounds affects the number of 
messages required, the time needed for completing the pro- 
cess and the security of the DB. If all verifiers are treated 
equally two parameters can be used to describe a general 
protocol: (1) the number of active verifiers and (2) the num- 
ber of active rounds by each verifier. If each of the N veri- 
fiers is required to perform n rounds of DB, we call the num- 
ber of active rounds n a (and passive rounds n p = n — n a ). 
We denote with d a the fraction of verifiers which perform 
n a active rounds. The remaining verifiers perform passive 
rounds. Each verifier will have (d a ■ (N — 1) • n a ) oppor- 
tunities to execute passive DB with each of the M provers. 
Two interesting cases are obtained by setting d a = 1/N and 
n a = n, only one verifier interacts actively with all provers, 
and by setting d a = 1 and n a = n/N all verifiers interact 
equally with all provers. By varying these two parameters 
(n a and d a ) one can obtain a protocol with the required se- 
curity level and less messages than sequential pairwise inter- 
action (performance and security analysis in Section[5]l. 

4.2 Mutual NtoM GDB 

In the general case of NtoM mutual DB there are two 
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Setting 


Base Case 


Our Protocol 




Number of Messages 


Number of Messages 


MPNV 


2n • N ■ AI 


(2n a + 1) ■ (JV- d a ) ■ M 


1PNV 


(2n + 1) • N 


(2n a + 1) • N ■ d a 


MP1V 


(2n + 1) • M 


.(„_((M-l)-j)) 


LtoM 


in ■ M 


n ■ (2Af + 1) 


NtoM 


in ■ N ■ M 


2n ■ (N + AI) 



Table 3: Number of Messages in GDB Protocols. 



groups, Gi and G2, of N and M nodes respectively. AW 
nodes in G\ are required to establish DBs to each of the 
nodes in G2 and vice versa, i.e., there is a total of 2N ■ M 
(but TV • M unique) DBs to be established. There are three 
approaches to construct GDB protocols for this setting: (1) 
based on one-way passive DB, (2) mutual multi-party GDB 
or (3) one-to-many mutual DB. 

(1) NtoM Using Passive DB: A fraction (di) of nodes in 
Gi, d\ ■ N, will establish n a \ active and n p i passive DB 
rounds with each of the M nodes in G2. The rest of the 
(1 — d±)N nodes in G\ establish only passive rounds. This 
step involves one-way DB so at the end only nodes in G\ 
will establish DBs to nodes in G2. Nodes in G2 are required 
to perform a similar step where g?2 ■ M nodes establish n a 2 
active and n P 2 passive rounds of DB with each of the N 
nodes in G-y. The rest of the (1 — dz)M nodes in G2 estab- 
lish only passive rounds. After this step all nodes in G2 will 
have established one-way DBs to nodes in G\. This proto- 
col requires nodes in Gi to trust each other and know each 
other's locations or distances separating them (same for G2). 

(2) NtoM Using Mutual Multi-Party GDB: All the nodes 
in both groups can be regarded as one group of size N + M. 
The N + M nodes can engage in a mutual multi-party GDB 
protocol as shown in Section [3~3l i.e., the general case of the 
example of Figure Such a protocol will require 2n(N + 
AI) messages. At the end each node will have DBs to all the 
N + AI — 1 other nodes. Some of these DBs are not required, 
since we assumed that nodes in Gi (and G2) don't perform 
DB on other nodes in the same group. 

(3) NtoM Using One-to-Many Mutual DB: Each of the N 
nodes in Gi engages in a one-to-many mutual DB protocol 
described in Section l3~2l with all M nodes in G2. This is a 
one-to-many mutual DB, so all nodes in G2 will also estab- 
lish a DB to each node in G\ . The total number of messages 
in such a protocol will be: nN ■ (271/ + 1). 

5. PERFORMANCE AND SECURITY ANAL- 
YSIS 

We first analyze performance of proposed GDB protocols. 
We then consider security of active DB in group settings, 
passive DB with untrusted verifiers and their combination. 
Our GDB protocols either use mutual multi-party GDB or 
a combination of passive and active DB. Their security can 
be understood by analyzing the underlying mechanisms and 
combinations thereof. Correctness and security of passive 
DB and mutual multi-party GDB are analyzed in Sections 



13. ll and [3~3l respectivelv. 

5.1 Performance of GDB Protocols 

Table [3] compares number of messages required in one- 
way and mutual GDB protocols to the base case (running 
pairwise DB between nodes). Table |4] shows total time re- 
quired to compute all DBs. We compare against this base 
case because there are no previous proposals for GDB. Our 
NtoM protocol in both tables is based on mutual multi- 
party GDB. Our proposals require fewer messages and de- 
pend on the fraction of active verifiers and active rounds 
performed. In the MPNV case, only (n a ■ d a ) messages 
are required, where n a is the fraction of active rounds per- 
formed by the fraction of active verifiers, d a . Figure |7(c")1 
shows how the number of messages increases as a function 
of the fraction of active rounds and active verifiers (M=10 
pro vers and N=10 verifiers and n=10 DB rounds). Figure 
|7(d)| shows how the number of messages varies with the 
number of provers and verifiers (to illustrate this dependency 
we assume that number of provers is the same as number of 
verifiers, N = M, and that fraction of active rounds is equal 
to fraction of active verifiers, n a — d a ). In the case of 60 
nodes (30 provers and 30 verifiers) if the fraction of active 
verifiers and active rounds is reduced to 0.8, 33% of mes- 
sages can be saved. Decreasing this fraction to 0.6 saves 
more than 55% of messages. Similar savings are also attain- 
able for lower and larger numbers of provers/verifiers. 

5.2 Security of Active DB vs Mutual Multi- 
Party GDB 

The probability of a single prover successfully cheating 
a single verifier decreases exponentially with the number of 
DB rounds (n) in an active DB protocol. For n rounds a 
prover has 2~" chance to successfully guess all challenge 
bits and send responses ahead of time. This tricks the verifier 
into measuring a shorter round trip time of flighj§. A Veri- 
fier in an active DB protocol does not have to trust any other 
entity. In group settings where each pair of provers verifiers 
engage in an active DB protocol, these security guarantees 
still hold. However, active DB in group settings is insecure if 
used for localization. When a prover actively interacts with 
each verifier separately, it can selectively enlarge its distance 
by delaying messages. Verifiers will incorrectly localize the 
prover using such DBs. Secure-localization schemes must 
always require at least three verifiers to interact with the 
prover simultaneously. The mutual multi-party GDB proto- 
col achieves this by design. In mutual multi-party GDB all 
nodes participate simultaneously in the same protocol and 
overhear each other's messages. A node can not selectively 
delay messages to other nodes, it can either delay them to all 
nodes or none. 



6 2 ™ is the probability for Brands-Chaum protocol |4), whereas 
in some other protocols like Hancke-Kuhn (T3), this probability is 

(3/4)-. 
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Table 4: Time Required in GDB Protocols. 



Security of Passive DB with Untrusted Ac- 
tive Verifiers 



Passive DB with untrusted verifiers is mainly useful in 
MANETs, where nodes continuously encounter new peers. 
Passive DB is secure if the active verifier behaves honestly 
and is trusted as shown in Section IXT1 This will be the case 
in a fixed (or mobile) verification infrastructure with prior 
security association, or under the control of one administra- 
tive entity. A malicious active verifier can undermine secu- 
rity of passive DB as follows: 

(1) Reporting a Fake Location (or Distance): A passive 
verifier requires the exact location or the distance to the ac- 
tive one in order to be able to construct the DB as shown in 
Section 13.11 The passive verifier will wrongfully compute 
the hyperbola (in Equation [TUb, if the active verifier reports 
an incorrect location or distance, leading to a wrong passive 
DB. 

(2) Sending Early Challenges: Even if the active verifier 
reports its location or distance correctly, it can send new 
challenges prematurely. This leads the passive verifier to be- 
lieve that the prover is closer than it actually is (as shown in 
Figure[3]l. V p wrongfully computes the distance dy a .p inter- 
secting incorrectly with the hyperbola (as shown in Figure 
|4(a)[ ), and leading to a wrong DB. 

An essential aspect of passive DB is implicit trust that 
the active verifier is behaving honestly, i.e., not cheating by 
performing either of the previous two attacks. We devise a 
metric, the DB Correctness (DBC), to illustrate the effec- 
tiveness of passive DB in the presence of such attacks. We 
define DBC for n rounds of passive DB as follows: 



DBC =1- 2 n - { - Pr - h{Va) - 1) 



(12) 



where Pr c h(V a ) is the fraction of rounds in which V a 
cheats. Note that cheating in passive DB is different than 
in active DB. In active DB, P is the one cheating, whereas 
in passive DB we are concerned with the case where V a is 
the one cheating. When V a does not cheat in any DB rounds, 
Pr ch (V a ) will be and DBC = 1 - 2" n . When V a cheats 
in all DB rounds Pr ch {V a ) will be 1 and DBC = 0. The 
average correctness {DBC avg ) in a DB to a given prover, 
obtained by a passive verifier, in the case of N active veri- 
fiers (V ai , V a2 ...Va N ,) (each engaging in ni,n 2 ...n N rounds 
of DB respectively) is computed as the average of individual 



DBC for each verifier: 

N _sr N 2™>-(^ ch (v a (i))-i) 

1 



DBCavq — 



N 



(13) 



Figure |7(a)| shows how DBC avg is affected by varying 
fraction of rounds in which active verifiers cheat (x-axis) and 
the fraction of cheating active verifiers. In the case consid- 
ered (10 verifiers and 10 DB rounds) even if 50% of the ac- 
tive verifiers cheat in 50% of their rounds, the DB will be 
established correctly over 98% of the time. As long as less 
than half of the active verifiers cheat in less than 90% of their 
rounds, the DB will be correct more than 70% of the time. 

5.4 Combined Passive/Active DB Security 

When a verifier performs n a active rounds and n p passive 
rounds both can be combined to obtain a more stable DB. 
We estimate the correctness in such a combined DB using 
a metric (DBC a / p ) as follows (note that both passive and 
active rounds have to result in the same DB): 



DBC, 



a/p 



1 - (2~ n ° 



y-Jv 2np(i) .(Pr c »(l/«(i))-l) 



N 



(14) 



If all other active verifiers cheat in all their DB rounds, 
DBC a j v becomes that of the active rounds performed by 
a verifier only, i.e., 1 — (2~ ,la ). Otherwise the likelihood 
of correctness of the established DB increases with any ad- 
ditional passive rounds. Figure [7(b)| shows how the DB is 
affected by cheating of active verifiers during passive DB by 
showing how DBC a / p changes. In the case considered (10 
verifiers) even if only two rounds of active (n a ) DB are per- 
formed and as long as the fraction of rounds being cheated 
in is less than 1 correctness of the DB captured by DBC a / p 
increases. Even if the probability of cheating in passive DB 
rounds is as high as 0.5, DBC a / p will increase to over 0.95 
if there are four or more opportunities to do passive DB. 

6. RELATED WORK 

DB was first proposed in ||4) to enable a single verifier to 
determine an upper-bound on the physical distance to a sin- 
gle prover and authenticate it as summarized in Section |2~T1 
Several optimizations and studies of DB were then consid- 
ered. In particular, [18] studied information leakage in DB 
protocols as a privacy problem that should be avoided. In 
our work, we start from this observation to construct pas- 
sive DB and the mutual multi-party GDB protocol. 11251 
proposed a mutual DB protocol by interleaving challenges 
and responses but also between a single prover and a single 
verifier. ll23l . ETI and J6) investigated using DB protocols 
for location verification and secure localization with three 
verifiers. The setting in 11231 is a special case of MPNV 
with M = 1 and N = 3. l20l investigated the so-called 
"in-region verification" and claimed that, for certain appli- 
cations, such as sensor networks and location-based access 
control, in-region verification is a better match than location 
determination. J8) and Q considered collusion attacks on 
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Figure 7: (a) DBC atig (Equation [13) and (b) DBC a / p (Equation [14) vs Probability of Cheating in Rounds with Ten 
Verifiers (N=10); (c) and (d) Number of Messages in Passive DB based MPNV Protocol 



DB location verification protocols. Other work, such as 11261 
looked at using time difference of arrival (TDoA) to deter- 
mine location of transmitters. |26l proposed using TDoA in 
the context of Ultra-Wideband (UWB). The work in ll24lll4l 
recently implemented the first RF based TDoA secure local- 
ization system using commercial off-the-shelf UWB ranging 
devices. DB was also studied in the context of ad-hoc net- 
works (e.g., 11251 ). sensor network (e.g., |[T5l 0) and RFID 
(e.g., J9) iTPTl ) applications. Finally, DB has been used to 
develop secure proximity based access control protocols for 
implementable medical devices in (17] and implemented us- 
ing commercial off-the-shelf electronic components in |[T9l . 

To summarize, our work differs from prior results, since: 
(1) we introduce for the first time passive DB and the mutual 
multi-party GDB protocol which are more suitable for group 
settings, (2) we consider general GDB cases with multiple 
provers and multiple verifiers (in the one-way and mutual 
DB settings), (3) we study a large spectrum of possible pro- 
tocol designs and (4) consider node authentication in both 
one-way and mutual GDB. 

7. DISCUSSION AND CONCLUSION 

This paper presents the first investigation of group dis- 
tance bounding (GDB). GDB is a fundamental mechanism 
for secure operation in wireless networks where verifying 
distances between, or locations of, groups of nodes is re- 
quired. We have shown how to construct protocols that are 
more efficient and secure than applying existing DB tech- 
niques in group settings. We made minimal assumptions 
about GDB settings to make our proposals as general as pos- 
sible. However we acknowledge two open issues: (1) It re- 
mains an open question whether a passive verifier can pas- 
sively establish a DB without knowing the location of (or 
distance to) an active one, while perhaps knowing other in- 
formation about distances to other nodes. (2) We have not 
addressed denial-of-service attacks in group settings (i.e., 
noisy environments). We note though that single prover sin- 
gle verifier DB in noisy environments has been addressed in 
both the one-way and mutual cases in |[T3ll22l . 
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